In an interview, Trusteer executive Dana Tamir discussed what she said are the three most common ways employees are persuaded to give up their credentials. She also itemized defense strategies for credit unions.

But, first, Tamir issued a warning: “Financial institution employees have always been targeted by criminals and this is happening now.”

Method one for capturing employee log-in credentials, said Tamir, is key-logging, where malware captures keystrokes as they are entered, then later transmits its findings back to control. This usually gets its start when an employee inadvertently downloads toxic software to his/her computer.

“The second method involves a phishing site,” said Tamir and this is a fake site created to resemble a real one, such as an employee portal.

Type in a username and password and the criminal has gotten exactly what he sought. Typically, the employee is lured to the site by a misleading email that may, for instance, appear to be from Human Resources.

The third technique, said Tamir, is where a criminal uses a database of usernames and passwords from a hacked site – such as the recent Adobe hack – then tests those logins at other sites. The logic is that often a user will use the same log in at many other sites.

As for preventative steps, Tamir said: “Education is good but not enough. There need to be more controls.” She pointed, for instance, to Trusteer tools that will prevent an employee from using his/her business log-in credentials to log in at other sites.

More advice from her is to never log into sensitive information from unprotected machines.